Ethics centre - Canadian Centre for Ethics and Corporate Policy

Todd Hall and Bob White
May 11, 2010
Objectives/topics
Context setting
Credibility: why is it critical? Can it be enhanced through verification?
What is meant by verification? Is there a common understanding?
Verification vs. assurance?
Determining the ROI related to assurance.
Exploring verification options.
Do different types of verification influence perceived/real credibility?
Assurance of claims of CSR performance using instruments such as GRI,
AA1000AS, ISO 26000.
The value of reporting - issues related to the lack of ‘Sustainability Reporting’.
ISO 26000 and GRI – verification
ISO 26000 – “In Use”
Context Setting
Much of what I’ll be presenting today comes from experience.
In terms of verification OPG;
has self assessment, and internal audit programs.
has participated in auditor exchange programs with other utilities for over 20
years, and
is subject to frequent reviews from regulators, registrars, and assurance
auditors.
OPG has ISO 9001/14001 & OHSAS 18001 registrations, along with integrated MSs.
OPG has been producing SD reports for over 10 years, and has experimented with
3rd party assurance, 2nd party assurance and have provided assurance statements,
founded in self declaration.
I have 20 years audit experience, & sit on the Board of Directors of the Auditing
Association of Canada.
Credibility
Credibility: the state or quality of being credible.
Credible: capable of being believed, worthy of reliance or
confidence as to the truth and correctness.
Why is credibility critical?
Essential for maintaining sound stakeholder relationships which
are essential for business success, franchise to operate.
It is an attribute of being a responsible corporate citizen.
There is little point in expending resources to write the report if it is
not perceived as credible.
Verification
To verify – to prove to be true, to confirm, to establish the
truth, correctness or authenticity.
Verification should lead to assurance of credibility.
Assuming that;
the exercise actually gives you what you assume i.e.
reliable, and accurate, and
you understand the caveats and qualifications stated.
Assurance for Verification of Claims - (GRI G3)
GRI recommends the use of professional assurance providers,
stakeholder panels, and other groups or individuals external to the
organization for sustainability reports in addition to any internal
resources.
‘External assurance’ refers to activities resulting in published conclusions
on the quality of the report & the information contained within it
including consideration of underlying processes for preparing it.
Differs from activities designed to assess or validate the quality or level
of performance of an organization, such as issuing performance
certifications or compliance assessments.
Assurance Standard - (AA 1000 AS)
GRI states that assurance providers may follow professional
standards for assurance (AA1000AS), or systematic,
documented, & evidence-based processes.
AA 1000 AS is intended for use by sustainability assurance
practitioners and providers to strengthen the quality &
credibility of an organisation’s public disclosures on its
sustainability performance.
It covers the full range of an organisation’s disclosure & associated
performance.
It draws from & builds on mainstream financial, environmental &
quality-related assurance.
Misconceptions
Common misconceptions related to 3rd party audits;
Registration to an ISO standard is perceived by many as
assurance of high quality, or high performance, this is
not necessarily the case – ISO 9001 is intended to be
assurance of consistent quality.
The quality of 3rd party audits is consistently high – and
reliable.
3rd party auditors are truly free from influence.
Assurance audits are intended to provide stakeholders
with high confidence.
Independence is Not a Synonym for Credibility
3rd party verification may help demonstrate due diligence,
however - blind reliance on 3rd party verifications may
undermine the notion of reasonable care.
experience has shown that ISO MS registrations do not provide
the degree & consistency of assurance that customers require
– not credible despite being 3rd party - we satisfy ourselves
through audit.
when & where we audit is based on our perception of risk &
degree of confidence.
Assurance Statements
3rd Party Assurance
Imagine if you will a multinational organization (ACME) having its 2009
Sustainability Review report evaluated for Inclusivity, Materiality and
Responsiveness using the AA1000AS (2008) assurance principles.
The organization conducting the assurance review is a well established assurance
company.
GRI
This same report is aligned to the GRI’s G3 sustainability reporting guidelines, to an
A+ level.
The GRI guidelines help ensure ACME covers relevant topics, identified by a
broader range of stakeholders, which are generic to sustainability reporting by any
organization.
An independent assurance statement was included in the report.
What is the real vs. perceived value?
Actual vs. Perceived value.
What should stakeholders believe?
Later in the year of publication the company had a significant event (environmental & H&S).
A critical review of the assurance statement reveals the following caveats;
The extent of evidence gathering procedures performed is less than that of a reasonable assurance
engagement (such as a financial audit) and therefore a lower level of assurance is provided.
Work was limited to group level activities. We did not visit any of ACME’s businesses.
We are not aware of any matters that would lead us to conclude that ACME has not applied the inclusivity
principle in developing its approach to sustainability or the responsiveness principle.
Nothing has come to our attention that causes us to believe that the data relating to the above topics has not
been collated properly from group-wide systems.
We are not aware of any errors that would materially affect the data as presented in the Report.
We are not aware of any misstatements in the assertions made.
We do not accept or assume any responsibility for any reliance any third party may place on the Report.
How many stakeholders took the time to understand the caveats and limitations?
Did the assurance process meet the perceptions of stakeholders?
Reporting - Desirable Attributes
Open, honest, transparent and credible.
Only the stakeholder can decide whether the report is
credible. Perception = reality.
Does 3rd party verification improve stakeholder
confidence – or perception of credibility?
TRANSPARENCY, HONESTY, OPENNESS ARE ATTRIBUTES
THAT WE STRIVE FOR IN REPORTING.
Credibility may be aspired to, but in truth only our stakeholders can
determine whether the report is credible in their eyes.
How can one achieve credibility? Various groups would have you believe
that only through a third party independent verification process can one
achieve credibility. I would like to challenge that paradigm and offer some
alternative thoughts.
1. 3rd party verification is time consuming and costly. What is the ROI?
2. Do stakeholders really want 3rd party verification or is this a bill of goods sold
by those who offer the service.
3. If not a legal or other requirement that you have committed to – then I suggest
that credibility can be achieved in a variety of ways.
Pros & Cons of 3rd Party Assurance
Pros:
Real or perceived independence & objectivity.
Fresh perspective.
In theory adds credibility to claims.
Cons:
Costs - schedule, resource and financial (questionable ROI).
Loss of opportunity – capacity building to develop and retain
the knowledge within the organization.
Less intimate knowledge of operations/processes.
Perception of credibility where influence can be exerted
through financial relationship.
Select the Right Tool for the Job
Each of us has a variety of tools in our tool box. A good
craftsman selects the right tool for the job. While a
sledgehammer will drive home a finishing nail it may not
be the best fit.
How do you pick the best approach?
Understand any requirements, other commitments that
compel/incent you to get 3rd party verification.
Be aware of stakeholder expectations.
Identify controls & assess whether they provide the desired level of
assurance.
Classification of Audit Independence
1st party or internal audits - conducted by or on behalf of the
organization and may form the basis of declaration of
conformity (19011) independence can be demonstrated by
having freedom from responsibility for the activity being
audited.
2nd party audits; external audits – conducted by parties having
an interest in the organization, such as customers or by others
on their behalf.
3rd party audits; external audits conducted by external
independent auditing organizations such as those providing
registration or conformity audits.
Exploring Verification Assurance Options.
Credibility can be achieved a number of ways – engaging stakeholders routinely
and having open lines of communication typically builds more credibility than a
verified annual report.
Choose the right tool for the job.
Understand what the verification/assurance statements do and don’t mean.
If 3rd party not required consider alternate approaches.
Approach          Perceived assurance   Subject knowledge   Audit technique knowledge   Cost
Self Assessment   Low                   High                Low                         Low
1st party         Moderate              Moderate            High                        Low
2nd party         High                  Moderate            High                        Moderate
3rd Party         High                  Low                 High                        High
Recommendations
Ask yourself whether 2nd or 3rd party audits are truly more independent &
reliable – or is this simply a perception.
Recommendation 1
Use a “qualified auditor” – someone with the competence to conduct the
audit – most are governed by a code of conduct.
All should adhere to the principles of auditing – ethical conduct, fair
presentation, due professional care, independence and evidence based
approach.
Recommendation 2
Understand the requirements and select the right approach to achieve the
desired results.
Do not automatically default to or assume the stakeholders want a 3rd
party audit.
ISO 26000 and GRI
GRI and ISO 26000 clause 6
only
GRI addressed in cl. 7.5
Not in GRI:
Clause 4: Principles of SR
Clause 5: Stakeholder
identification and engagement
Clause 7: Integration of SR into
organization
We are using GRI
Verification …
(ISO 26000:2010 Social Responsibility)
1. Clause ‘7.6.2 Enhancing the credibility of reports and claims
about social responsibility’ describes the many ways
organizations can enhance the credibility of their reports and
claims including:
‘using a rigorous and responsible process of verification by
an individual or individuals independent of the process of
report preparation, either within the organization or
external to it such as stakeholder groups,
to undertake the verification process and publishing a
statement attesting to the verification as part of the report’
Verification
(ISO 26000:2010 Social Responsibility)
2. The verification process could also include reporting
conformance to the reporting guidelines of an external
organization such as those outlined in the Annex to ISO 26000
3. Annex A contains a non-exhaustive list of voluntary initiatives
and tools for social responsibility by the ISO 26000 working
group experts using a specific set of criteria that are described
in Annex A
4. Two of the many initiatives in Annex A that can be used to
enhance credibility are the Global Reporting Initiative (GRI)
Sustainability Reporting Framework and AA1000 Assurance
Standard (2008)
Why ISO 26000 Social Responsibility?...
1. Social Responsibility fits the ISO strategy for standards that are market
and globally relevant and create a sustainable world.
2. ISO MOU with ILO, UN Global Compact and OECD
3. Consistent with international treaties and conventions and existing ISO
standard, UN Declarations and ILO
4. Over 175 international SR instruments in Bibliography,
5. Over 500 experts in SR from over 100 countries
6. First time ISO used a ‘balanced stakeholder approach’: industry, labour,
government, NGOs, consumers, others
McDonalds
ISO 26000:2010 in Use
1. Canadian Electricity Association: Sustainability
2. Vancouver Olympic Games 2010: CSA Z2010 Sustainable Event standard
3. Responsible Exploration and Mining: DeBeers Canada
4. Canadian Climate Change Adaptation Project
5. Socially Responsible Investing (SRI)
6. Universities: Canada: Ryerson, Toronto, Waterloo, Mexico: Autonoma
Metropolitana, Iberoamericana, Guanajuato: ‘Responsible Education’
7. Seneca College: 46 graduate students assisting 46 companies using ISO 26000
FDIS
Contact
Todd Hall, OPG
1-416-592-1708
todd.hall@opg.com
Bob White, BRI International Inc.
1-416-368-1457
bob@bri.ca